28 June 2017

Allying Public and Private Forces on the Front Lines of Cybersecurity

Few security challenges muddle the distinction between government and business roles as those emanating from cyberspace. National security issues no longer remain solely under the purview of government agencies, and companies continue to find themselves in the sights of foreign adversaries.

Moreover, attacks against commercial products have geopolitical ramifications. Software and hardware companies are at the root of voting technology, a foundation of modern democracies, and everyday electronic devices – designed by private companies, but used by all – are compromised by hostile entities to steal, destabilize, and misguide. Diplomacy, espionage, business, and war are now ingrained with commercially created and maintained digital technology and the vivid line between private interests and public security is dwindling.

Information sharing between government and the businesses at the frontline of the virtual battlefield has always been a key component of further strengthening a country's resilience to hacking campaigns by foreign governments, criminals, and hacktivists. Combining the forensic evidence of attacks against private companies, particularly those running a country’s critical infrastructure, with actionable intelligence sourced using the relegated powers of government is needed to better manage cybersecurity risks.

Such information sharing is the first step in mitigating the danger inherent in the technology that fuels the global economy and societal and political engagement. However, while industry is responsible for sharing instances of breaches, there are proprietary, privacy, and reputational considerations that can inhibit their willingness to do so freely.

There are also major inhibitions to the free flow of information from government to industry – most notably the risk of compromising intelligence sources and methods.

Rob Joyce, currently the National Security Council Cybersecurity Coordinator who previously had held senior positions in both offensive and defensive missions at the NSA, argues that while information sharing must be improved, it should be approached carefully. “One of the challenges we have had is the sensitive intelligence we gather is perishable,” he argues, “so you have got to strike that balance between operationalizing and finding a way to use it and not ruining your ability to know those threats on a continuing basis.” At a more practical level, “chances are if we are dealing with companies then they are already penetrated,” Joyce argues, “so we don’t want to show the people that are penetrating them what we know about them.”

The U.S. government is relatively adept at sharing intelligence on cyber threats internally. For example, the Cyber Threat and Intelligence Center under the Office of the Director of National Intelligence is intended to serve as the primary portal for intelligence agencies to share cyber threat data with agencies such as the Homeland Security Department and the FBI. The DHS, through its cyber information-sharing hub, the National Cybersecurity Communications Integration Center, is then able to act as the primary vehicle for government sharing with industry.

Intelligence on those who pose cyber threats, such as indictors of compromise and adversary tactics, techniques, and procedures, are pushed out through DHS reports and by the U.S. Cyber Emergency Response Team (US-CERT) alerts. Recent warnings of North Korean government hacking campaigns or a new Russia-linked malware known as Crash Overdrive capable of crippling power grids show how the U.S. government provides information to industry to better protect themselves.

Furthermore, some 90 percent of previously unknown software vulnerabilities discovered by the Intelligence Community are pushed out to vendors through DHS after undergoing the National Security Council’s Vulnerabilities Equities Process. For example, following the theft of NSA hacking tools by the Shadow Brokers, the NSA, likely through the DHS, reportedly informed Microsoft of the crucial zero-day vulnerability, allowing Microsoft to develop a patch a month before the NSA tool was weaponized by North Korea to spread the WannaCry ransomware across 150 countries. US-CERT had also advised businesses in January to disable the avenue through which WannaCry was later propagated – although, the warning, for some, apparently had fallen on deaf ears.

The presence of government bodies, such as DHS, that insulate intelligence agencies from industry is notable. Adding layers of bureaucracy to public-private collaboration in cybersecurity decreases the timeliness of the information shared. After all, warning companies they are being targeted the day after their systems have been breached is hardly an effective model. At the same time, James Clapper, the former Director of National Intelligence argues “The DHS is the appropriate storefront and that’s the way it ought to be. I don’t think the spy crowd should be directly engaging with the private sector.”

Yet this is precisely what the United Kingdom is seeking to do with its new National Cyber Security Centre (NCSC), which is revamping the way British intelligence agencies collaborate with private industry by leaning toward more open and direct exchanges to help secure the UK against cyber attacks.

Chris Inglis, the former Deputy Director of the NSA, argues that the UK has proposed to “radically transform collaboration between intelligence agencies and the private sector.” Practically, this has meant bringing in some 650 people from the Government Communications Headquarters (GCHQ), the UK’s primary signals intelligence agency, and having them work directly alongside industry partners. There have already been significant reports resulting from NCSC collaboration with industry partners to outline major cyber campaigns by foreign adversaries.

The close technical cooperation between government and industry that takes place at the NCSC shows that the best responses to advanced threats and reliable attribution for those responsible is difficult to determine without intelligence collection methods – authorities broadly reserved for governments. “There is sensitive information and specialist technical advice that the NCSC can provide to private sector companies given that it is part of GCHQ, itself a world-leading gather of digital intelligence,” argues David Omand, the former head of GCHQ and the UK’s first Security and Intelligence Coordinator. “This is the application of the poacher-turned-gamekeeper principle.”

Under the NCSC’s collaborative model, Inglis says, “the protocol driving their work will first and foremost be done in the unclassified sphere, and then only by exception, they’ll determine which of the discoveries made will then be taken back to a classified corner to ensure it’s dealt with in the most effective manner.”

The opposite is true in the U.S.; work is done in a highly classified setting and only pushed out to industry after a rigorous internal process. Last week, Gregory Touhill, the former Director of NCCIC at DHS, wrote in his statement to the House Science, Space and Technology Committee that “well-intentioned government entities over-classify information,” which “stifles the timely sharing of information in an environment that already moves at light speed.” Rather, Touhill argues that the U.S. ought to reexamine its classification process and, “instead of making the highest classification the default setting for data collection and dissemination, we out to flip the default to a shareable setting.” Doing so would demand that classification only occur after a deliberative determination that the information is sufficiently sensitive to withhold.

While clearing individuals in the private sector can lessen issues of over-classification to some extent, other inhibitions remain.

“The challenge, of course, that we have in the U.S. is scaling up on a much larger scale than what the UK is confronted with,” argues Clapper. This is particularly the case in determining which companies get a seat at the table. Clapper asks, “So who is it that you are going to pick and choose to include in the tent and who will you not? That is a real challenge we have.”